[Content]
Forwarded from TWCERTCC-200-202509-00000015

【CVE-2025-20333】 A critical security vulnerability (CVE-2025-20333, CVSS: 9.9) exists in the VPN web servers of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD). The vulnerability is caused by improper validation of user-supplied HTTP(S) requests. An attacker with valid VPN user credentials can exploit this flaw with specially crafted HTTP requests, allowing an authenticated remote attacker to execute arbitrary code as root on the affected device.

【CVE-2025-20363】 A critical security vulnerability (CVE-2025-20363, CVSS: 9.0) exists in the web services of Cisco Adaptive Security Appliance (ASA), Cisco Firepower Threat Defense (FTD) software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software. The vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could send specially crafted HTTP requests to the web services of affected devices to execute arbitrary code as root, potentially causing denial of service on the affected device.

Information Sharing Level: WHITE (Information content can be publicly disclosed)

[Affected Platform]
1.It is recommended to check the official website for the affected versions to determine whether your system is impacted by this vulnerability: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB

2.It is recommended to check the official website for the affected versions to determine whether your system is impacted by this vulnerability: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O"